"Davis and the Jake-Man" is a technology news website discussing subjects of note in the IT industry.

8.04.2016

Yahoo Investigates Leaked Credentials

Has Neither Confirmed Nor Denied a Breach

On Monday, a hacker going by “peace_of_mind” or simply “Peace” advertised about 200 million Yahoo credentials on the Dark Web. The leak allegedly contains usernames, hashed (scrambled) passwords, birthdates and, in some cases, backup email addresses. Peace is offering the entire database for 3 bitcoins, or about $1,800. As of this writing, Yahoo has neither confirmed nor denied a breach, but is investigating.

The hacker has posted a sample of the database online, and the passwords in it are hashed with the Message Digest 5 (MD5) algorithm. A hashing algorithm is a series of complicated math steps that turns an input (here, a password) into another set of characters that is much less readable.

This will keep average people from reading your password, but how much safer it makes your password depends on the algorithm used. MD5 has been broken for years. Rainbow tables holding long lists of passwords and their hashes are readily available online, and automated tools can use them to match an MD5 hash back to its password instantly.
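To make the point concrete, here is an added example (not part of the original article) that audits a constructed credential store the way a defender would: any unsalted MD5 hash found in a precomputed table is exposed, while a salted, slow scheme gives the table nothing to match. A plain dictionary stands in for a rainbow table, and the choice of PBKDF2, the iteration count, the function names and all sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample list of common passwords (not taken from any leak).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]

def md5_hex(password: str) -> str:
    """Unsalted MD5: the same password always yields the same hash."""
    return hashlib.md5(password.encode()).hexdigest()

def build_lookup(passwords) -> dict:
    """Precompute hash -> password once; reusable against every account."""
    return {md5_hex(p): p for p in passwords}

def audit_md5_store(store: dict, lookup: dict) -> dict:
    """Return accounts whose stored MD5 hash appears in the precomputed table."""
    return {user: lookup[h] for user, h in store.items() if h in lookup}

def pbkdf2_record(password: str, iterations: int = 200_000) -> dict:
    """Hardened storage: random per-user salt plus a deliberately slow KDF.
    The iteration count is an illustrative assumption, not a recommendation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def pbkdf2_verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

if __name__ == "__main__":
    lookup = build_lookup(COMMON_PASSWORDS)
    # Constructed accounts: two users share a common password, one does not.
    store = {
        "alice": md5_hex("password"),
        "bob": md5_hex("password"),
        "carol": md5_hex("correct horse battery staple 7#"),
    }
    print("exposed by table lookup:", audit_md5_store(store, lookup))
    a, b = pbkdf2_record("password"), pbkdf2_record("password")
    print("same password, same PBKDF2 digest?", a["digest"] == b["digest"])
    print("login still works:", pbkdf2_verify("password", a))
```

Because each PBKDF2 record carries its own random salt, two users with the same password no longer share a stored value, so a table built once cannot be reused across accounts.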

As of now, the source of the breach is unknown. Peace has claimed that this breach, along with ones for MySpace, LinkedIn and Tumblr, was the act of a Russian group. Yahoo has not issued a password reset yet, which is often the first step after notifying users. Still, it is better to be safe than sorry. If you haven’t changed your Yahoo password in some time, or share that old password between accounts, now might be a good time.